How the DoJ’s new FCPA policy may affect companies

Jan 10, 2018
Policy creates additional incentives for companies to self-report FCPA issues

On November 29, 2017, Deputy Attorney General Rod Rosenstein announced the US Department of Justice’s (DoJ) new FCPA corporate enforcement policy. Although the policy in most ways continues and makes permanent the fraud section’s 2016 pilot program, in certain key ways it changes the DoJ’s enforcement program.

The pilot program gave guidance to prosecutors for corporate resolutions in FCPA cases, and was intended to motivate companies to voluntarily self-disclose misconduct, co-operate with the fraud section and remediate weaknesses in their controls and compliance programs. Although the new policy represents an important step forward and creates additional incentives to self-report, it does not solve many of the risks to self-reporting or the many other challenges faced by companies with FCPA issues. 

More emphasis on compliance and the board
The pilot program was noteworthy in part for its list of factors for an effective compliance program. The majority of those factors focus on the compliance function: its resources, independence, the quality and experience of its personnel, their compensation and promotional opportunities and their reporting structure.

It has been my position that this list was an effort by the DoJ to get a sense of how seriously compliance is taken within an organization. For example, if a company takes compliance seriously, it has serious people in the compliance function who have serious resources and are taken seriously – and, therefore, are promoted and compensated properly. Significantly, these factors are carried through to the new policy. But the new policy also adds two new factors to consider: the ‘authority’ of the compliance function and ‘the availability of compliance expertise to the board.’

These changes reinforce my position. Empowering the compliance function with sufficient authority helps a company demonstrate its serious commitment to compliance. Similarly, if the board has access to compliance expertise and uses it, the company should be better able to demonstrate the board’s meaningful commitment to compliance and how it sets proper tone from the top.

Potential new benefits
One of the most significant changes in the policy is the new presumption of declination – a decision that the government will not bring a prosecution. Companies that self-report, co-operate and remediate (ie meet the ‘three criteria’) will, absent aggravating circumstances, receive a presumption of a declination, rather than merely being considered for a declination.

Critics have suggested that the laundry list of exceptions for such aggravating circumstances swallow the rule. I do not believe this will be the case. Were the DoJ to rely frequently on the ‘wiggle room’ in the policy to avoid declinations (at least in the absence of significant and obvious aggravating circumstances), it would reduce trust and substantially undermine the department’s stated goal of encouraging self-reporting. The DoJ made good on the promises offered in the pilot program, and I expect it to do so under the new policy.

For those companies that meet the three criteria, but do not warrant a declination due to aggravating circumstances (other than recidivism), an additional benefit is still available. The DoJ has committed to a 50 percent reduction from the low end of the sentencing guidelines, rather than the ‘up to’ 50 percent offered by the pilot program. The additional certainty of the full 50 percent discount weighs in favor of self-reporting.

Unfortunately, the decision to self-report remains a complicated calculation. There are several countervailing considerations, including:

  • The risk, no matter how small, that the DoJ rejects declination
  • The SEC is not bound by the policy, nor are foreign authorities, some of which cannot fully credit self-reporting or co-operation
  • The policy covers only FCPA violations, but co-operation arguably requires disclosure of other known offenses
  • Even with a declination, self-reporting often comes with significant costs, such as hiring lawyers, forensics firms and other service providers to investigate, co-operate and remediate. Other significant potential costs arise from disgorgement, negative publicity and internal distraction from business activities.

Nevertheless, the policy creates increased pressure to seriously consider self-reporting. For those that choose not to self-report but then later face a DoJ investigation, forgoing the possibility of a declination may very well be viewed – with the benefit of hindsight – as a grave mistake.

Removal of self-reporting credit limit
Many companies were potentially ineligible for self-reporting under the pilot program because disclosures that ‘a company is required to make, by law, agreement or contract’ were deemed not to qualify. This was a significant limitation. For example, issuers arguably have obligations to report a significant FCPA violation in their SEC filings, particularly if it had a material impact on their financial statements.

The new policy eliminates this exception. Whether or not the DoJ would have relied on such a loophole to invalidate otherwise legitimate self-reporting, the change provides greater certainty to those companies under such a disclosure obligation.

Conflicts avoidance benefit
The policy continues the pilot program’s requirement that companies avoid conflicts between the internal investigation and the government investigation, if asked. But the policy also imposes new limitations. Now, such requests to ‘defer investigative steps… will be made for a limited period of time and will be narrowly tailored to a legitimate investigative purpose….’ The policy also requires that the company be notified that the DoJ is lifting such requests ‘once the justification dissipates.’

This change offers a significant potential benefit to companies. Even reasonable requests to defer interviewing employees or third parties can seriously impact a company’s ability to understand the issues it faces, meet its obligations to owners/shareholders and remediate promptly.

Additional requirements for full remediation
The policy also imposes new remediation requirements. First, companies are now required to demonstrate a thorough root-cause analysis ‘and, where appropriate, remediation to address the root causes.’ Although previous fraud section guidance implied that root-cause analysis was expected, it is now a formal requirement.

Second – and perhaps the most noteworthy change in the policy – companies must now, as part of remediation,  ensure ‘[a]ppropriate retention of business records, and prohibit[] the improper destruction or deletion of business records, including prohibiting employees from using software that generates but does not appropriately retain business records or communications.’

This seems to be a shot across the bow for companies whose employees conduct business and communicate through mobile apps that do not allow them to maintain, capture and review data. Companies should seriously consider implementing such policies sooner rather than later (or as remediation).

Disgorgement as a condition of declination
The pilot program broke new ground by tying declinations to the disgorgement of profits from the corrupt scheme at issue. The policy appears to take this concept a bit further, at least semantically. Although the pilot program stated that ‘the company should be required to disgorge all profits from the FCPA misconduct’, the policy states that ‘the company is required to pay all disgorgement, forfeiture, and/or restitution resulting from the misconduct.’ (Emphasis added by author here.)

Like it or not, declinations with disgorgement are likely here to stay, even though such a requirement is a countervailing consideration in the self-report calculation.

Separating different declinations
Before the issuance of the policy, the DoJ did not distinguish between two types of declinations: (i) where there is a provable violation, but the DoJ declined to prosecute because the company met the three criteria; (ii) where the DoJ should not have brought the case in the first place, either because of a legal impediment, a proof problem or some other equitable consideration.

I have heard complaints that by conflating these two types, it became impossible to know whether the declinations truly resulted from self-reporting, co-operation and remediation. The lack of transparency fueled continued distrust in the benefits of self-reporting. Significantly, the policy addresses this criticism. Declinations pursuant to the policy are treated distinctly from cases that would have been declined in the absence of meeting the three criteria. Only the former will be made public, so that it will now be clear when self-reporting resulted in the declination.

Incorporation in the US Attorneys’ Manual
One final change is that the policy is incorporated in the US Attorneys’ Manual and is therefore binding on all US Attorney’s Offices, rather than just the FCPA unit within the fraud section of the Criminal Division. Although the FCPA unit always held the exclusive authority to bring such cases, this change may help to eliminate any potential disagreements between fraud section leadership and the US Attorney’s Office involved in a particular matter.

Tension between co-operation and waiving privilege
The policy is important not only because of the changes it makes to the pilot program, but also because of how much it keeps the same. I highlight here only one non-change: although both the pilot program and the policy say all the right things about not requiring the waiver of attorney-client privilege as part of co-operation, the policy maintains the inevitable tension between the two.

As part of co-operation, companies are required to disclose not just ‘all relevant facts gathered during a company’s independent investigation’ but also ‘attribution of facts to specific sources where such attribution does not violate the attorney-client privilege, rather than a general narrative of the facts.’

The DoJ prefers attribution of facts to specific sources, which makes logical sense. Take, for example, a hypothetical traffic accident. How meaningful is the disclosure of the ‘fact’ that the ‘light was red’ if one does not learn how many people thought the light was red, how many people said the light was green and who each of the witnesses were, so that the DoJ can decide which witnesses to interview, assess everyone’s credibility and come to its own judgment.

But almost all fact gathering in internal investigations is performed under privilege, meaning that attribution of facts to specific sources raises serious risk of waiving the privilege. The pressure faced by companies (and at times created by the DoJ) to bend here can be substantial.

Matthew Queler is a principal with Deloitte Financial Advisory Services LLP. Previously, Matt served as an assistant chief in the DoJ’s FCPA unit.

The opinions and observations set forth in this article are those of the author and do not represent, and should not be relied upon, as legal advice. Neither the author nor any Deloitte US entity provides legal advice.

Sign up to get stories direct to your inbox
Cs logo Cs logo